Security audit

Henry OS

Security checks across malware telemetry and agentic risk

Overview

Henry OS is a coherent business automation skill, but it asks users to run an unverified remote installer and grant a persistent agent broad access to private communications and accounts while making overbroad privacy claims.

Review carefully before installing. This skill would run a remote installer and then operate as a persistent autonomous agent with access to private communications, calendar data, contacts, online accounts, and local projects. Only proceed if you trust the publisher and can verify the installer source; prefer a versioned installer with checksums or signatures, explicit per-account controls, and clear uninstall instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding:
The document makes strong privacy/security claims that the system has 'no cloud dependencies' and 'works entirely offline after installation,' yet elsewhere it describes continuous monitoring of online services such as Upwork, LinkedIn, Reddit, email, and other channels. This mismatch can mislead users into granting broad permissions or deploying the tool under false assumptions about network use, data exposure, and trust boundaries.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The installation instructions tell users to execute a remote shell script directly from the network with no integrity verification, review step, or warning. If the hosting domain, TLS termination, or upstream script is compromised, arbitrary code will run immediately on the user's machine with the user's privileges.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The install command pipes a remotely fetched script directly into bash without any integrity verification, review step, or warning to the user. This creates a direct remote-code-execution path where a compromised server, poisoned DNS/TLS trust chain, or malicious upstream change can execute arbitrary commands on the host at install time.

VirusTotal

1/64 vendors flagged this skill as malicious, and 63/64 flagged it as clean.